DevSecCon Asia 2017 Pishu Mahtani: Adversarial Modelling

Join the conversation #devseccon

Using Adversarial Modelling In Driving Secure Application Development

By Pishu MahtaniApplication Security ConsultantTrustwave SpiderLabs

Agenda

• Introduction• Overview• Goal of Adversarial Modelling• How do you conduct it?• Case Study• Conclusion• Q & A

Introduction ($whoami)

• Singaporean. Over 12 years of progressive experience in Information Security in various capacities.

• Previous roles as a pentester, auditor, incident response/forensics.• Application Security Consultant @ SpiderLabs, the advanced security team in

Trustwave.• Currently focused on security & privacy of applications, mobile and Internet of

Things (IoT) devices.• Professionally, previously contributed to the development of Center for Internet

Security (CIS) benchmarks and currently contributing to OWASP Mobile Security Testing Guide.

Overview

• Adversarynoun, plural adversaries.

1. a person, group, or force that opposes or attacks; opponent; enemy; foe.2. a person, group, etc., that is an opponent in a contest; contestant.

• Adversarial Modeling• A practice in identifying, learning and emulating the tactics, techniques and procedures

that may be adopted by a malicious user to defeat a system or an organization so as to build defences dedicated to countering such a threat.

• Example: if you design a castle and moat to keep out enemies, but do not realize the enemy has catapults that can breach castle walls from afar, then your castle is wholly ineffective against the threat you face.

Goal Of Adversarial Modelling

• Start thinking like the REALLY bad guy (if you haven’t started doing so).• Learn why they ALWAYS get in.• Ask yourselves these key questions when developing an application.

• What are your ‘Crown Jewels’?• What’s the worst that can happen?• Am I prepared with the correct understanding in developing a defensive and resilient

application that can deter the most motivated adversaries?• Do I want to suffer first and develop a strong and robust application and sleep well later?

• Enable you to start developing applications with an adversarial mindset!

Enterprise Adversarial Modelling Strategies

• Lockheed Martin Cyber Kill Chain• Mandiant APT Attack Lifecycle• DoD Joint Publication 3-13, 2006• MITRE ATT&CK Matrix

Adversary Model

• Adversary Type (AT) • Campaign Objective (CO) • Campaign Vehicle (CV) • Campaign Weapon (CW) • Payload Delivery (PD) • Payload Capabilities (PC)

Adversary Type (AT)

• Script kiddy • Hacktivist• Insider threat • Commercial hacking (for theft of IP, customer data, etc.) • Nation-state cyber warfare

Campaign Objective (CO)

• Account take-over/Identify fraud• Botnet farming• DDOS• Data/Intellectual property theft• Intelligence collection• Data/System destruction• Corporate/political agenda

Campaign Vehicle (CV)

• Spear-phish with link/attachment • Compromised legitimate website • Malicious website • Social engineering • Insider threat • Remote login • Physical media (USB/DVD) • Supply chain

Campaign Weapon (CW)

• IE, Firefox, Chrome exploit • Adobe Flash exploit • Oracle Java exploit • Microsoft Silverlight exploit • Microsoft Office macro • Adobe Reader exploit • User-installed malware • Socially engineered remote access

Payload Delivery (PD)

• Executable file – pre-assembled • Executable file – just-in-time assembly on-host • Process hijacking/ROP • Scripting • DLL injection/side-loading

Payload Capabilities (PC)

• Command and control (Backdoor for remote access)• DDOS • Privilege escalation • Keystroke logging• Screen capture • Ransomware• Network mapping • Lateral movement • Data discovery/archiving/exfiltration/corruption/destruction• System wiping

Characteristics of Adversarial Modelling Strategies

• Heavyweight process with substantial documentation• All encompassing, used in an enterprise level • Includes a very in-depth view of various existing mechanisms that are in place• Time-consuming and lots of work needs to be done

Let’s think about this

• Developers they write code• Faced with time constrains, deadlines…• Code needs to be pushed out ASAP. Deadline in 2 weeks.• If something is very complex, there must be a faster way to do it. • Security comes later (that’s why we have pentesters!), focus on

user experience first.

Reality of Application Development

Pentesters,overtoyou!Findthosebugsforus!Thankyou!

Adversarial Modelling for Applications

How do you conduct it?

• Create an overview of the application from a high level perspective• Define the all the actors that will use the system• Identify the primary components of the architecture of the system• Develop an transaction based application workflow (high-level) for the application from start to

finish incorporating the different elements of the application• Identify use cases for each individual function that is present in the application• Classify the different type of adversaries (misusers) that may compromise the system• Develop misuse cases for each valid use case in the application• Conduct an analysis at a high level view of the possible threats that can materialize in different

parts of the application. Focus on goal oriented threats.• Adopt a comprehensive application vulnerability classification list

Case Study

• Electronic Procurement Application• Used by the organization to create public tender opportunities for

the eventual procurement of goods and services to the organization• Users: Vendors (External) & Staff (Internal)• Connected to the Internet and thus accessible to everyone

Overview of the application

Actors (Users)

Transaction Based Application Workflow (1)

TenderingPhaseWorkflow

Transaction Based Application Workflow (2)

BidEvaluationWorkflow

Transaction Based Application Workflow (3)

AwardofContractWorkflow

Transaction Based Application Workflow (4)

PurchasingWorkflow

Use cases

• Use cases are a scenario-based technique for requirements elicitation.• Used as a modeling technique to analyze and specify functional requirements

in an early stage. • Provide scenarios about how the system works when the user is interacting,

and help to describe the requirements in a graphical way.• Put simply, a use case denotes as a function that a system should do.• In uses cases, an actor plays the role of the users that interact with the system

Use Cases (Sample)

Attacker Types (Misusers)

Threats (STRIDE)

Taxonomy of Software Vulnerabilities

• MITRE Common Weakness Enumeration (CWE)• Open Web Application Security Project (OWASP) – Top 10• Seven Pernicious Kingdoms (7PK)• Software Fault Pattern Clusters• CMU-SEI CERT Secure Coding Standards

Misuse Cases

• Introduced by Guttorm Sindre and Andreas Opdahl• Misuse cases are denoted as a function that a system should not

allow• In misuse cases, a malicious actor plays the function of the users

and spells out the situations that can break the system • Misuse cases analyze the interaction between applications and the

misusers• Tool for helping to think about your software the same way

attackers do

Misuse Cases (Sample)

Misuse Case Diagram

MisuseCaseDiagram(Victim:ProcurementOfficer)

Misuse Case Table

Conclusion

To Know Your Enemy, You Must Become Your Enemy.

Sun Tzu, The Art of War

Question? & Answer!

Join the conversation #devseccon

Thank you to everyone who contributed to the development of this presentation.

Twitter: @pishumahtani